The Microsoft O365 Email Add-on for Splunk ingests Microsoft 365 email from a dedicated compliance mailbox through Microsoft Graph and writes the results to Splunk as JSON events.
The add-on is designed for security and operational visibility. It can enrich messages with:
- attachment metadata and file hashes
- attachment analysis, including ZIP inspection and Office macro detection
- body IOC extraction for URLs, domains, IPv4, and IPv6 values
- phishing-focused link, sender, URL, HTML, and attachment risk analysis
- vendor-aware URL analysis that reduces false positives for trusted redirectors such as Microsoft `aka.ms`
- normalized SPF, DKIM, DMARC, and ARC result summaries
- transparent message risk scoring with supporting reasons
- Internet header parsing
- mail relay and message path reporting
- S/MIME certificate extraction
- Microsoft 365 group membership snapshots through a separate input
The add-on is built around disposable compliance mailboxes that receive BCC copies of mail through Exchange mail flow rules. It processes the copied messages and purges them from the compliance mailbox so production user mailboxes are not touched.
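Several items in the feature list above are easy to get subtly wrong in practice: which Authentication-Results header to believe, how to keep vendor redirectors such as `aka.ms` out of the hostile-domain list, and how to keep a risk score explainable. The Python block below is an added example written for this page, not code from the add-on, showing one way to normalize SPF, DKIM, DMARC and ARC verdicts, extract body IOCs, and attach named reasons to a score. The sample message, the authserv-id `mx.corp.example`, the domain names, the event field names and the rule weights are all constructed assumptions; the add-on's own schema and scoring rules are not shown on this page.

```python
"""Added example (not the add-on's code): normalize authentication results and
extract body IOCs from a raw RFC 5322 message, emitting a JSON event. Sample
message, domains, field names and rule weights are constructed assumptions."""
import email
import ipaddress
import json
import re
from email import policy
from urllib.parse import urlsplit

# Constructed sample. The first Authentication-Results header is ours; the second
# has a foreign authserv-id a sender could have pre-inserted, so it is untrusted.
SAMPLE_MESSAGE = b"""\
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=bounce.bad.example;
 dkim=none; dmarc=fail action=quarantine header.from=corp.example; arc=none
Authentication-Results: mx.attacker.example; spf=pass; dkim=pass; dmarc=pass
From: "Payroll" <payroll@corp.example>
Subject: Updated direct deposit form
Message-ID: <constructed-1@bad.example>
Content-Type: text/plain; charset=utf-8

Please review https://aka.ms/CONSTRUCTED then confirm at
http://login-corp.example/verify?id=7 or via 203.0.113.7 / 2001:db8::1.
"""

AUTH_METHODS = ("spf", "dkim", "dmarc", "arc")
TRUSTED_REDIRECTORS = {"aka.ms"}  # vendor redirectors are reported separately
CLAUSE_RE = re.compile(r"^\s*(spf|dkim|dmarc|arc)\s*=\s*([A-Za-z]+)", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"')]+")
IPV4_RE = re.compile(r"(?<![\w.])(?:\d{1,3}\.){3}\d{1,3}(?![\w.])")
IPV6_RE = re.compile(r"(?<![\w:])(?:[0-9A-Fa-f]{0,4}:){2,7}[0-9A-Fa-f]{0,4}(?![\w:])")


def normalize_auth_results(msg, authserv_id):
    """One verdict per method, read only from Authentication-Results headers that
    carry our own authserv-id (top header wins); any other authserv-id is ignored."""
    found = {}
    for header in msg.get_all("Authentication-Results", []):
        parts = [p.strip() for p in str(header).split(";")]
        if not parts[0] or parts[0].split()[0].lower() != authserv_id.lower():
            continue
        for clause in parts[1:]:
            m = CLAUSE_RE.match(clause)
            if m:
                found.setdefault(m.group(1).lower(), m.group(2).lower())
    return {method: found.get(method, "none") for method in AUTH_METHODS}


def _is_ip(candidate, version):
    try:  # regex candidates count only if the ipaddress module accepts them
        return ipaddress.ip_address(candidate).version == version
    except ValueError:
        return False


def extract_iocs(text):
    urls = list(dict.fromkeys(URL_RE.findall(text)))
    hosts = list(dict.fromkeys(h for h in (urlsplit(u).hostname for u in urls) if h))
    return {
        "urls": urls,
        "domains": [h for h in hosts if h not in TRUSTED_REDIRECTORS],
        "redirector_domains": [h for h in hosts if h in TRUSTED_REDIRECTORS],
        "ipv4": [c for c in dict.fromkeys(IPV4_RE.findall(text)) if _is_ip(c, 4)],
        "ipv6": [c for c in dict.fromkeys(IPV6_RE.findall(text)) if _is_ip(c, 6)],
    }


def score_message(auth, iocs, from_domain, internal_domains):
    """Transparent scoring: every point of the score maps to a named rule that hit."""
    rules = [
        ("spf_fail", 20, auth["spf"] == "fail"),
        ("dmarc_fail", 30, auth["dmarc"] == "fail"),
        ("internal_sender_without_dmarc_pass", 30,
         from_domain in internal_domains and auth["dmarc"] != "pass"),
        ("ip_literal_in_body", 10, bool(iocs["ipv4"] or iocs["ipv6"])),
    ]
    reasons = [name for name, _, hit in rules if hit]
    return min(100, sum(weight for _, weight, hit in rules if hit)), reasons


def build_event(raw, authserv_id="mx.corp.example", internal_domains=("corp.example",)):
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    auth = normalize_auth_results(msg, authserv_id)
    iocs = extract_iocs(text)
    from_domain = msg["From"].addresses[0].domain.lower() if msg["From"] else ""
    score, reasons = score_message(auth, iocs, from_domain, set(internal_domains))
    return {
        "message_id": str(msg["Message-ID"]),
        "auth": auth,
        "iocs": iocs,
        "risk": {"score": score, "reasons": reasons},
    }


if __name__ == "__main__":
    print(json.dumps(build_event(SAMPLE_MESSAGE), indent=2))
```

Run it directly to print the event for the constructed sample; in the add-on's setting the raw message would come from the compliance mailbox rather than a constant. Two checks the block enforces that are easy to miss: it only believes Authentication-Results headers that carry the receiving server's own authserv-id, because a sender can pre-insert a header with any other id, and it validates regex IP candidates with `ipaddress`, so strings such as `12:30:45` or `999.1.1.1` are not reported as IOCs.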
Categories
Email, Security, Fraud & Compliance
Contributors
Shannon Davis